Thursday, September 7, 2017

Equifax data breach

Just read about this hack -- 143 million Americans just had their personal financial information stolen from Equifax.

Aside from a damage control message, they have offered to sign everyone up for free for their credit monitoring service called TrustedID.  What they don't tell us upfront, in a typical sneaky pretending-to-care-but-really-don't fashion, is that they are offering it only for one year.  This means after the first year we are on our own.  In fact, it's a great sales strategy, because they would expect people to continue to enroll in this service after the first free year, paying out of pocket and helping increase their revenues.

Per the terms of service, if one does accept the free offer, one would waive one's right to participate in any class action lawsuits against them.  Not that those are worth anything for the consumer.

What they should have offered

At the very least, Equifax should instead have offered everyone a choice of free service from their own and competitors' offerings since, at this point, why would anyone want to trust Equifax to do credit monitoring on their behalf?  And it should have been offered for life since the data can be misused pretty much forever.  They are already making money by selling consumer information to banks and other financial institutions.


Three of their company executives dumped a bunch of stock before the data breach was revealed to the public.

In addition, their security head was a music major!

Was your data compromised?

The official link provided by Equifax to check if your data was impacted is here.  Unfortunately, there is no way to tell if the above link is even reporting accurate results.

Freezing credit files

Many folks recommend calling the credit bureaus and freezing your credit files.  Freezing must be done at all of the agencies.  So far, I'm aware of the following:

Most folks are only aware of the big 3 in this space -- Equifax, Experian, Transunion -- but freezing only those would provide only partial protection.

Credit is not the only problem

As noted in this article:

What’s more likely is that stolen information will be used to take over existing accounts, such as banking, brokerage, phone service, and retirement accounts.

And even more as described in this article:

If the stolen information from Equifax gets into the wrong hands, experts say data thieves can open bank accounts, lines of credit, new credit cards and even drivers' licenses in your name. They can saddle you with speeding tickets, steal your tax refund, swipe your Social Security check and prevent you from getting prescription drugs.

What else can be done?

Sign up for a credit monitoring service.  Experian is offering this for free.

Buy identity theft insurance, preferably from a regular insurance company--the same one that sells your renters or homeowners policy.  Some policies will cover financial losses (whether this coverage is needed is debatable, since assets are typically restored once it is established that fraud was involved) and pay for someone to fix the issue when it happens.

Simplify your financial life and check all of your accounts often -- bank accounts, credit cards, brokerage accounts. That way, if an account is hacked, one may be able to detect the issue sooner rather than later.

Equifax's free offering

Personally, I will not be signing up for any services offered by Equifax.  Based on the way they have handled the data breach, I don't think they can be trusted.  As this article notes:

Equifax already waited six weeks to tell the world about the hack -- that gave hackers a six-week jump on all of us, Nunnikhoven noted.

The lack of urgency is a clear indication that the management at Equifax is completely clueless about the severity of the problem that they have created for the public.  The information that was stolen can be misused for years to come.

But, worse, they had 2 whole months to fix the vulnerability that was exploited in this attack and did nothing about it as noted in this article:

Equifax told USA TODAY late Wednesday that the criminals who potentially gained access to the personal data of up to 143 million Americans had exploited a website application vulnerability known as Apache Struts CVE-2017-5638.

The vulnerability was patched on 7 March 2017, the same day it was announced, the foundation said. Modifications were made on March 10, according to the National Vulnerability Database.

Equifax said that the unauthorized access began in mid-May. That's a period of two months in which the company could have, and should have, say experts, dealt with the problem.

The long term fix

Longer term, the US needs a better way to authenticate people than social security numbers, as noted in this article:

The Republic of Estonia uses such a system to identify members of its e-Residency program, even with no physical presence. Each e-resident has a public numerical key that serves as a unique identifier, and a corresponding private key that is never revealed. During the authentication process, the private key is used to generate an irreversible digital signature. The signature is shared and verified by the public key without ever exposing the private key.
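The key-based authentication the quote describes, shown as an added challenge-response example (my own illustration, not Estonia's e-Residency code or anything from the article). The server stores only a public key, which can be leaked without enabling impersonation, and the private key never leaves the holder; the random challenge means a captured signature cannot be replayed. Ed25519 is assumed as the signature scheme for concreteness.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Identity is all the verifier (say, a bank) keeps on file: the public key.
// Unlike an SSN, publishing it does not let anyone act as the holder.
type Identity struct {
	PublicKey ed25519.PublicKey
}

// NewChallenge issues a fresh random nonce. Signing it proves possession of
// the private key, and the freshness defeats replay of an old signature.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond is the client side: sign the challenge with the private key,
// which is never transmitted.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is the server side: check the signature against the stored public
// key and the exact challenge it issued.
func Verify(id Identity, challenge, signature []byte) error {
	if !ed25519.Verify(id.PublicKey, challenge, signature) {
		return errors.New("authentication failed: signature does not match")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := Identity{PublicKey: pub}
	challenge, _ := NewChallenge()
	sig := Respond(priv, challenge)
	fmt.Println("genuine response:", Verify(id, challenge, sig))
	// A captured signature is useless against the next challenge.
	replay, _ := NewChallenge()
	fmt.Println("replayed signature:", Verify(id, replay, sig))
}
```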

Problems are not limited to Equifax

I have had credit monitoring services from a different bureau, courtesy of my data being hacked from several financial and health care companies.  Whenever I have tried to access customer service at that bureau, I find it to be so incompetent that I wonder whether the company even deserves to be in business, let alone be in the business of managing the most sensitive data of all Americans.

Additional reading/resources
